EO Advisor

I Don’t Negotiate with Terrorists

But my boss might...
State law prohibits agencies from negotiation with ransomware hackers

North Carolina just became the first state to enact a law prohibiting anyone but designated State authorities from making ransomware payments when the State of NC is attacked.

In fact, NC government agencies and local municipalities can’t even speak to anyone engineering such an attack on the State of NC.

This is good for a few reasons, mainly that trained professionals (the North Carolina State Chief Information Officer (CIO) and their team) are going to be running point on any ransomware attacks against the state—thus defending taxpayers’ wallets. 

We saw several confusing headlines about this new law, including “new state law prevents governments from paying for hacked data in attacks”; “Not in My Backyard: NC Becomes First State to Prohibit Public Entities from Paying Ransoms”. Headlines and articles such as these are what prompted us to write this article in an effort to clarify things. 

The second of these articles—which is authored by National Law Review—goes on to say “Lawmakers in North Carolina and Pennsylvania have suggested that if hackers know that a state or local agency is prohibited by law from paying a ransom, the hackers will have no financial incentive to attack such agencies and accordingly will look for victims in other states.”  

This seems to imply that the State of NC Government as a whole is legally NOT allowed to pay the ransom in any way.  

We read those articles and thought: OMG, this is a terrible idea… a hacker is going to see this legislation and think “let’s see about that” … OR “Everybody’s got a plan ‘till they get punched in the face… 

As a blanket policy, not negotiating with terrorists is an intriguing topic—fraught with debate, and worth more words than we have space or expertise for. (Think-tanks, political scientists, and experts pontificate in abundance elsewhere.) 

Preparing for, and responding to a ransomware attack is not for the faint of heart, and definitely not for a novice. North Carolina has recognized this—perhaps soon to be followed by a few other states—and we wanted to share that in an effort to encourage private entities to do the same.  

In reading further and reviewing the actual legal text, it seems evident that the State of NC is really just trying to present a unified and educated response to any Ransomware incidents that target state agencies and local governments in an effort to gain access to the public purse. 

The law literally reads as:  

“No State agency or local government entity shall submit payment or otherwise communicate with an entity that has engaged in a cybersecurity incident on an information technology system by encrypting data and then subsequently offering to decrypt that data in exchange for a ransom payment” 

According to the North Carolina State Representative Jason Saine (Senior Chairman of the NC House Appropriations Committee, and Member of the NC House IT Committee):

One of the most compelling reasons to enact such legislation is because we realized cities and counties, which the State has purview over, were increasingly becoming easy targets of opportunity. Hackers realized that these entities were easy targets and with no incentive not to pay, it was easier for local governments just to pay the ransom. 

“By legally denying the ability for local government units to pay the ransom, we have at least notified hackers that there are more cooperative targets elsewhere.” 

If you have something to lose financially, then you are a potential target for ransom. Period.  

From the hacker’s perspective, so as long as there are other prey wandering the savannah who look more vulnerable, more “cooperative,” and ultimately more attractive than your organization, you’re probably safe (or safer than others, anyhow), but we wouldn’t exactly call that a strategy to hang your livelihood on. 

Making a plan to prevent and respond to ransomware isn’t “simple” but it can be as “easy” as contacting an experienced professional. 

  • This field is for validation purposes and should be left unchanged.

Like this article? Read more news about .
Security Alert
LOG4J Security Alert
we're referencing CVE-2021-44228
Cyber-Risk Insurance Documents
Cyber-Risk Insurance
You can outsource responsibility, but not liability.